Remove deprecated auto-login flags

The auto-login controller flags (--aws-autologin-for-ecr,
--gcp-autologin-for-gcr, --azure-autologin-for-acr) have been deprecated
since v0.25.0 and replaced by the .spec.provider field. This change
removes these flags entirely.

Also removes the unsupported provider check as it's now handled by
the updated fluxcd/pkg/auth package.

Signed-off-by: cappyzawa <[email protected]>

Author: cappyzawa

internal/controller/imagerepository_controller.go

@@ -111,8 +111,7 @@ type ImageRepositoryReconciler struct {
 		DatabaseWriter
 		DatabaseReader
 	}
-	DeprecatedLoginOpts []auth.Provider
-	AuthOptionsGetter   *registry.AuthOptionsGetter
+	AuthOptionsGetter *registry.AuthOptionsGetter
 
 	patchOptions []patch.Option
 }
@@ -270,7 +269,7 @@ func (r *ImageRepositoryReconciler) reconcile(ctx context.Context, sp *patch.Ser
 		Namespace: obj.GetNamespace(),
 		Operation: cache.OperationReconcile,
 	}
-	opts, err := r.AuthOptionsGetter.GetOptions(ctx, obj, involvedObject, r.DeprecatedLoginOpts...)
+	opts, err := r.AuthOptionsGetter.GetOptions(ctx, obj, involvedObject)
 	if err != nil {
 		e := fmt.Errorf("failed to configure authentication options: %w", err)
 		conditions.MarkFalse(obj, meta.ReadyCondition, imagev1.AuthenticationFailedReason, "%s", e)

internal/registry/options.go

@@ -31,9 +31,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/fluxcd/pkg/auth"
-	"github.com/fluxcd/pkg/auth/aws"
-	"github.com/fluxcd/pkg/auth/azure"
-	"github.com/fluxcd/pkg/auth/gcp"
 	authutils "github.com/fluxcd/pkg/auth/utils"
 	"github.com/fluxcd/pkg/cache"
 
@@ -57,7 +54,7 @@ type AuthOptionsGetter struct {
 }
 
 func (r *AuthOptionsGetter) GetOptions(ctx context.Context, repo *imagev1.ImageRepository,
-	involvedObject *cache.InvolvedObject, deprecatedLoginOpts ...auth.Provider) ([]remote.Option, error) {
+	involvedObject *cache.InvolvedObject) ([]remote.Option, error) {
 	timeout := repo.GetTimeout()
 	ctx, cancel := context.WithTimeout(ctx, timeout)
 	defer cancel()
@@ -98,36 +95,23 @@ func (r *AuthOptionsGetter) GetOptions(ctx context.Context, repo *imagev1.ImageR
 			return nil, err
 		}
 		authenticator, authErr = secret.AuthFromSecret(authSecret, ref)
-	} else {
+	} else if provider := repo.GetProvider(); provider != "generic" {
 		// Build login provider options and use it to attempt registry login.
 		var opts []auth.Option
 		if proxyURL != nil {
 			opts = append(opts, auth.WithProxyURL(*proxyURL))
 		}
-		switch provider := repo.GetProvider(); provider {
-		case aws.ProviderName, azure.ProviderName, gcp.ProviderName:
-			// Support new features (service account and cache) only for non-deprecated code paths.
-			if repo.Spec.ServiceAccountName != "" {
-				serviceAccount := client.ObjectKey{
-					Name:      repo.Spec.ServiceAccountName,
-					Namespace: repo.GetNamespace(),
-				}
-				opts = append(opts, auth.WithServiceAccount(serviceAccount, r.Client))
-			}
-			if r.TokenCache != nil {
-				opts = append(opts, auth.WithCache(*r.TokenCache, *involvedObject))
-			}
-			authenticator, authErr = authutils.GetArtifactRegistryCredentials(ctx, provider, repo.Spec.Image, opts...)
-		default:
-			// Handle deprecated auto-login controller flags.
-			for _, provider := range deprecatedLoginOpts {
-				if _, err := provider.ParseArtifactRepository(repo.Spec.Image); err == nil {
-					authenticator, authErr = authutils.GetArtifactRegistryCredentials(ctx,
-						provider.GetName(), repo.Spec.Image, opts...)
-					break
-				}
+		if repo.Spec.ServiceAccountName != "" {
+			serviceAccount := client.ObjectKey{
+				Name:      repo.Spec.ServiceAccountName,
+				Namespace: repo.GetNamespace(),
 			}
+			opts = append(opts, auth.WithServiceAccount(serviceAccount, r.Client))
+		}
+		if r.TokenCache != nil {
+			opts = append(opts, auth.WithCache(*r.TokenCache, *involvedObject))
 		}
+		authenticator, authErr = authutils.GetArtifactRegistryCredentials(ctx, provider, repo.Spec.Image, opts...)
 	}
 	if authErr != nil {
 		return nil, authErr

internal/registry/options_test.go

@@ -260,6 +260,14 @@ func TestNewAuthOptionsGetter_GetOptions(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "unsupported provider",
+			imageRepoSpec: imagev1.ImageRepositorySpec{
+				Image:    testImg,
+				Provider: "unsupported-provider",
+			},
+			wantErr: true,
+		},
 	}
 
 	for _, tt := range tests {

main.go

@@ -17,7 +17,6 @@ limitations under the License.
 package main
 
 import (
-	"errors"
 	"fmt"
 	"os"
 	"time"
@@ -38,9 +37,6 @@ import (
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 
 	"github.com/fluxcd/pkg/auth"
-	"github.com/fluxcd/pkg/auth/aws"
-	"github.com/fluxcd/pkg/auth/azure"
-	"github.com/fluxcd/pkg/auth/gcp"
 	pkgcache "github.com/fluxcd/pkg/cache"
 	"github.com/fluxcd/pkg/runtime/acl"
 	"github.com/fluxcd/pkg/runtime/client"
@@ -96,9 +92,6 @@ func main() {
 		storageValueLogFileSize int64
 		gcInterval              uint16 // max value is 65535 minutes (~ 45 days) which is well under the maximum time.Duration
 		concurrent              int
-		awsAutoLogin            bool
-		gcpAutoLogin            bool
-		azureAutoLogin          bool
 		aclOptions              acl.Options
 		rateLimiterOptions      helper.RateLimiterOptions
 		featureGates            feathelper.FeatureGates
@@ -113,11 +106,6 @@ func main() {
 	flag.Uint16Var(&gcInterval, "gc-interval", 10, "The number of minutes to wait between garbage collections. 0 disables the garbage collector.")
 	flag.IntVar(&concurrent, "concurrent", 4, "The number of concurrent resource reconciles.")
 
-	// NOTE: Deprecated flags.
-	flag.BoolVar(&awsAutoLogin, "aws-autologin-for-ecr", false, "(AWS) Attempt to get credentials for images in Elastic Container Registry, when no secret is referenced")
-	flag.BoolVar(&gcpAutoLogin, "gcp-autologin-for-gcr", false, "(GCP) Attempt to get credentials for images in Google Container Registry, when no secret is referenced")
-	flag.BoolVar(&azureAutoLogin, "azure-autologin-for-acr", false, "(Azure) Attempt to get credentials for images in Azure Container Registry, when no secret is referenced")
-
 	clientOptions.BindFlags(flag.CommandLine)
 	logOptions.BindFlags(flag.CommandLine)
 	leaderElectionOptions.BindFlags(flag.CommandLine)
@@ -131,12 +119,6 @@ func main() {
 
 	logger.SetLogger(logger.NewLogger(logOptions))
 
-	if awsAutoLogin || gcpAutoLogin || azureAutoLogin {
-		setupLog.Error(errors.New("use of deprecated flags"),
-			"autologin flags have been deprecated. These flags will be removed in a future release."+
-				" Please update the respective ImageRepository objects with .spec.provider field.")
-	}
-
 	if err := featureGates.WithLogger(setupLog).SupportedFeatures(features.FeatureGates()); err != nil {
 		setupLog.Error(err, "unable to load feature gates")
 		os.Exit(1)
@@ -265,31 +247,19 @@ func main() {
 		}
 	}
 
-	var deprecatedLoginOpts []auth.Provider
-	if awsAutoLogin {
-		deprecatedLoginOpts = append(deprecatedLoginOpts, aws.Provider{})
-	}
-	if azureAutoLogin {
-		deprecatedLoginOpts = append(deprecatedLoginOpts, azure.Provider{})
-	}
-	if gcpAutoLogin {
-		deprecatedLoginOpts = append(deprecatedLoginOpts, gcp.Provider{})
-	}
-
 	authOptionsGetter := &registry.AuthOptionsGetter{
 		Client:     mgr.GetClient(),
 		TokenCache: tokenCache,
 	}
 
 	if err := (&controller.ImageRepositoryReconciler{
-		Client:              mgr.GetClient(),
-		EventRecorder:       eventRecorder,
-		Metrics:             metricsH,
-		Database:            db,
-		ControllerName:      controllerName,
-		TokenCache:          tokenCache,
-		AuthOptionsGetter:   authOptionsGetter,
-		DeprecatedLoginOpts: deprecatedLoginOpts,
+		Client:            mgr.GetClient(),
+		EventRecorder:     eventRecorder,
+		Metrics:           metricsH,
+		Database:          db,
+		ControllerName:    controllerName,
+		TokenCache:        tokenCache,
+		AuthOptionsGetter: authOptionsGetter,
 	}).SetupWithManager(mgr, controller.ImageRepositoryReconcilerOptions{
 		RateLimiter: helper.GetRateLimiter(rateLimiterOptions),
 	}); err != nil {